Vendor Due Diligence and Oversight – Why Attending Conferences is Important

Examiners are increasingly focused on your vendor management efforts, and expect you to utilize every opportunity to more effectively manage the relationship.  Attending user groups and user conferences can be a very effective way to connect with and influence critical vendors, while simultaneously educating yourself on your existing products as well as new and emerging technology.

Since we are in the season of vendor user groups and conferences, you should strongly consider taking advantage of these opportunities, especially for your more critical vendors.  And if you need additional justification beyond best practice (perhaps to convince budget-conscious senior management), here is some regulatory support for user groups and education:

Regulatory Support for User Groups

“User groups are another mechanism financial institutions can use to monitor and influence their service provider. User groups can participate and influence service provider testing (i.e., security, disaster recovery, and systems) as well as promote client issues. Independent user groups can monitor and influence a service provider better than its individual clients. Collectively, the group will constitute a significant portion of the service provider’s business.” – FFIEC IT Examination Handbook, Outsourcing Technology Services, Risk Management, On-going Monitoring

“User groups offer advantages to both the TSP and the serviced institution by allowing customers to discuss and prioritize their concerns…TSPs should obtain customer feedback through user groups or customer surveys.” – FFIEC IT Examination Handbook, Management, Management Considerations for Technology, Customer Service

To evaluate the quality of vendor risk management, examiners are expected to evaluate the financial institution’s use of user groups and other mechanisms to monitor and influence the service provider. – FFIEC IT Examination Handbook, Outsourcing Technology Services, Appendix D, MSSP Examination Procedures

Prior to engaging a vendor, and prior to implementing a new product or service with an existing vendor, the institution’s due diligence process should include references from current users or user groups about the vendor’s reputation and performance. – FFIEC IT Examination Handbook, Outsourcing Technology Services, Appendix D, MSSP Examination Procedures

Regulatory Support for Education

“Effective managed security service provider (MSSP) oversight requires an FI to maintain adequate in-house technical expertise. This enables the FI to monitor and maintain acceptable risk exposure and confirm the MSSP is fulfilling contractual obligations. Education and awareness for FI employees is necessary to help ensure:

  • The MSSP is effectively managing the relevant information security risk;
  • Personnel understand the processes, procedures, and protocols of the MSSP, including the use of subcontractors; and
  • FI management understands:
    • What data the MSSP is collecting and who has access to the data;
    • Information in audit reports and security testing of the MSSP; and
    • How to measure a successful relationship.”

– FFIEC IT Examination Handbook, Outsourcing Technology Services, Appendix D, MSSP Examination Procedures

One of the ways institutions are expected to manage an MSSP relationship is by evaluating the training, education, and awareness the MSSP provides to the FI. – FFIEC IT Examination Handbook, Outsourcing Technology Services, Appendix D, MSSP Examination Procedures

So are you doing all you can to manage your vendor relationships?  If your critical service providers offer a forum for educating users and sharing information, and you choose NOT to attend, you are not only missing a valuable opportunity to monitor and influence the vendor, you may also be falling short of what examiners expect!

Safe Systems offers an annual national users conference for our 600 financial institution clients that provides educational sessions on the latest in technology, information security, and regulatory compliance, as well as user feedback sessions and peer interaction.  http://conference.safesystems.com/